Spatial Cloaking Algorithms for Location Privacy
Chi-Yin Chow
Department of Computer Science and Engineering, University of Minnesota, Minneapolis, MN

SYNONYMS
Location cloaking; location blurring; location perturbation; location anonymization

DEFINITION
Spatial cloaking is a technique to blur a user's exact location into a spatial region in order to preserve her location privacy. The blurred spatial region must satisfy the user's specified privacy requirement. The most widely used privacy requirements are k-anonymity and minimum spatial area. The k-anonymity requirement guarantees that a user location is indistinguishable among k users. On the other hand, the minimum spatial area requirement guarantees that a user's exact location must be blurred into a spatial region with an area of at least A, such that the probability of the user being located at any point within the spatial region is 1/A. A user location must be blurred by a spatial cloaking algorithm either on the client side or at a trusted third party before it is submitted to a location-based database server.

HISTORICAL BACKGROUND
The emergence of state-of-the-art location-detection devices, e.g., cellular phones, global positioning system (GPS) devices, and radio-frequency identification (RFID) chips, has resulted in a location-dependent information access paradigm known as location-based services (LBS). In LBS, mobile users have the ability to issue snapshot or continuous queries to the location-based database server. Examples of snapshot queries include "where is my nearest gas station" and "what are the restaurants within one mile of my location", while examples of continuous queries include "where is my nearest police car for the next one hour" and "continuously report the taxis within one mile of my car location". To obtain the precise answer to these queries, the user has to continuously provide her exact location information to a database server. With untrustworthy database servers, an adversary may access sensitive information about individuals based on their location information and queries. For example, an adversary may identify a user's habits and interests by knowing the places she visits and the time of each visit.

The k-anonymity model [12, 13] has been widely used in maintaining privacy in databases [6, 8, 9, 10]. The main idea is to make each tuple in the table k-anonymous, i.e., indistinguishable among k-1 other tuples. However, none of these techniques can be applied to preserve user privacy for LBS, mainly because these approaches guarantee k-anonymity for a snapshot of the database. In LBS, the user location is continuously changing. Such dynamic behavior requires continuous maintenance of the k-anonymity model. In LBS, k-anonymity is a user-specified privacy requirement which may have a different value for each user.

SCIENTIFIC FUNDAMENTALS
Spatial cloaking algorithms can be divided into two major types: k-anonymity spatial cloaking [3, 4, 5, 7, 11, 2] and uncertainty spatial cloaking [1]. k-anonymity spatial cloaking aims to blur user locations into spatial regions which satisfy the user's specified k-anonymity requirement, while uncertainty spatial cloaking aims to blur user locations into spatial regions which satisfy the user's specified minimum spatial area requirement.

Adaptive interval cloaking. This approach assumes that all users have the same k-anonymity requirement [3]. For each user location update, the spatial space is recursively divided in a KD-tree-like format until a minimum k-anonymous subspace is found. Such a technique lacks scalability as it deals with each single movement of each user individually. Figure 1 depicts an example of the adaptive interval cloaking algorithm, in which the k-anonymity requirement is three. If the algorithm wants to cloak user A's location, the system space is first divided into four equal subspaces, ⟨(1,1),(2,2)⟩, ⟨(3,1),(4,2)⟩, ⟨(1,3),(2,4)⟩, and ⟨(3,3),(4,4)⟩. Since user A is located in the subspace ⟨(1,1),(2,2)⟩, which contains at least k users, this subspace is further divided into four equal subspaces, ⟨(1,1),(1,1)⟩, ⟨(2,1),(2,1)⟩, ⟨(1,2),(1,2)⟩, and ⟨(2,2),(2,2)⟩. However, the subspace containing user A does not have at least k users, so the minimum suitable subspace is ⟨(1,1),(2,2)⟩. Since there are three users, D, E, and F, located in the cell (4,4), this cell is the cloaked spatial region of their locations.
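The adaptive interval cloaking walk of Figure 1, as an added example that is not code from the entry: the user positions below are constructed so that the counts match the text (A's quadrant holds three users, cell (4,4) holds D, E and F); the function and variable names are my own.

```python
# Added example (not code from the entry): adaptive interval cloaking on the
# 4x4 grid of Figure 1. Positions are constructed to reproduce the text's counts.
from typing import Dict, List, Tuple

Cell = Tuple[int, int]          # (column, row), 1-based as in Figure 1
Region = Tuple[Cell, Cell]      # (lower-left cell, upper-right cell), inclusive

# Constructed sample positions; only the per-subspace counts matter here.
USERS: Dict[str, Cell] = {
    "A": (1, 1), "B": (2, 2), "C": (1, 2),
    "D": (4, 4), "E": (4, 4), "F": (4, 4),
}

def users_in(region: Region, users: Dict[str, Cell]) -> List[str]:
    """Users whose cell lies inside the (inclusive) region."""
    (x1, y1), (x2, y2) = region
    return [u for u, (x, y) in users.items() if x1 <= x <= x2 and y1 <= y <= y2]

def quadrants(region: Region) -> List[Region]:
    """Split a square region into its four equal sub-squares."""
    (x1, y1), (x2, y2) = region
    mx, my = (x1 + x2) // 2, (y1 + y2) // 2
    return [((x1, y1), (mx, my)), ((mx + 1, y1), (x2, my)),
            ((x1, my + 1), (mx, y2)), ((mx + 1, my + 1), (x2, y2))]

def cloak(user: str, users: Dict[str, Cell], k: int, space: Region) -> Region:
    """Descend into the quadrant holding `user` while it still contains at
    least k users; the last k-anonymous subspace is the cloaked region."""
    region = space
    if len(users_in(region, users)) < k:
        raise ValueError("whole space does not satisfy k-anonymity")
    while region[0] != region[1]:            # stop once a single cell is reached
        sub = next(q for q in quadrants(region) if user in users_in(q, users))
        if len(users_in(sub, users)) < k:
            break                            # a finer subspace would break k-anonymity
        region = sub
    return region
```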
Figure 1: Adaptive interval cloaking (k = 3)

CliqueCloak. This algorithm assumes a different k-anonymity requirement for each user [3]. CliqueCloak constructs a graph and cloaks user locations when a set of users forms a clique in the graph. All users share the same cloaked spatial region, which is a minimum bounding box covering them. Then, the cloaked spatial region is reported to a location-based database server as their locations. Users can also specify the maximum area of the cloaked region, which is considered as a constraint on the clique graph, i.e., the cloaked spatial region cannot be larger than the user's specified maximum acceptable area.

k-area cloaking. This scheme keeps suppressing a user location into a region which covers at least k-1 other sensitive areas, e.g., restaurants, hospitals, and cinemas, around the user's current sensitive area [5]. Thus, the user's resident area is indistinguishable among k sensitive areas. This spatial cloaking algorithm is based on a map which is partitioned into zones, and each zone contains at least k sensitive areas. Thus, the continuous movement of users is just abstracted as moving between zones. Users can specify their own privacy requirements by generalizing personalized sensitivity maps.

Hilbert k-anonymizing spatial region (hilbASR). Here, users are grouped together into variant buckets based on the Hilbert ordering of user locations and their own k-anonymity requirements [7]. Using the dynamic hilbASR, the cloaked spatial regions of users A to F can be determined by using two equations, start(u) and end(u), which are depicted in Figure 2, where start(u) and end(u) indicate the start and end rankings of a cloaked spatial region, respectively, u is a user identity, and the dotted line represents the Hilbert ordering.

Figure 2: hilbASR

Nearest-neighbor k-anonymizing spatial region (nnASR). This is the randomized version of a k-nearest-neighbor scheme [7]. For a user location u, the algorithm first determines a set S of the k nearest neighbors of u, including u. From S, the algorithm selects a random user u' and forms a new set S' that includes u' and the k-1 nearest neighbors of u'. Then, another new set S'' is formed by taking the union of S and S'. Finally, the required cloaked spatial region is the bounding rectangle or circle which covers all the users of S''.

Uncertainty. This approach proposes two uncertainty spatial cloaking schemes, uncertainty region and coverage of sensitive area [1]. The uncertainty region scheme simply blurs a user location into an uncertainty region at a particular time t, denoted as U(t). A larger region size means a stricter privacy requirement. The coverage of sensitive area scheme is proposed for preserving the location privacy of users who are located in a sensitive area, e.g., a hospital or home. The coverage of sensitive area for a user is defined as Coverage = Area(sensitive area) / Area(uncertainty region). A lower value of the coverage indicates a stricter privacy requirement.

Casper. Casper supports both the k-anonymity and minimum spatial area requirements [11]. System users can dynamically change their own privacy requirements at any instant. It proposes two grid-based pyramid structures to improve system scalability, the complete pyramid and the incomplete pyramid.
(a) Complete pyramid   (b) Incomplete pyramid
Figure 3: Grid-based pyramid data structures

Complete pyramid. Figure 3(a) depicts the complete pyramid data structure, which hierarchically decomposes the spatial space into H levels, where a level of height h has 4^h grid cells. The root of the pyramid is of height zero and has only one grid cell that covers the whole space. Each pyramid cell is represented as (cid, N), where cid is the cell identifier and N is the number of mobile users within the cell boundaries. The pyramid structure is dynamically maintained to keep track of the current number of mobile users within each cell. In addition, the algorithm keeps track of a hash table that has one entry for each registered mobile user with the form (uid, profile, cid), where uid is the mobile user identifier, profile contains the user's specified privacy requirement, and cid is the cell identifier in which the mobile user is located. cid is always in the lowest level of the pyramid (the shaded level in Figure 3(a)).

Incomplete pyramid. The main idea of the incomplete pyramid structure is that not all grid cells are maintained. The shaded cells in Figure 3(b) indicate the lowest-level cells that are maintained.

Cloaking algorithm. Casper adopts a bottom-up cloaking algorithm which starts at the cell where the user is located at the lowest maintained level, and then traverses up the pyramid structure until a cell satisfying the user's specified privacy requirement is found. The resulting cell is used as the cloaked spatial region of the user location. In addition to the regular maintenance procedures of the basic location anonymizer, the adaptive location anonymizer is also responsible for maintaining the shape of the incomplete pyramid. Due to the highly dynamic environment, the shape of the incomplete pyramid may change frequently. Two main operations are identified to maintain the efficiency of the incomplete pyramid structure, namely cell splitting and cell merging.
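As an added example (not Casper's own code; the class and function names, the choice of H = 3 and the `(k, A)` profile tuple are my assumptions), the complete pyramid with its `(cid, N)` counts, the `(uid, profile, cid)` user table and the bottom-up cloaking walk, run over a constructed scenario of three users with different profiles:

```python
# Added example (not Casper's own code): a complete grid pyramid over the unit
# square, its (cid, N) counts, the (uid, profile, cid) table and the bottom-up
# cloaking walk described above. Names and H are assumptions.
from typing import Dict, Tuple

H = 3                                   # levels 0..H-1; level h has 4**h cells
Cid = Tuple[int, int, int]              # (level, column, row)
Profile = Tuple[int, float]             # (k, minimum area A as a fraction of the space)

def lowest_cell(x: float, y: float) -> Cid:
    """Map a point in the unit square to its cell on the lowest level H-1."""
    n = 2 ** (H - 1)
    return (H - 1, min(int(x * n), n - 1), min(int(y * n), n - 1))

def parent(cid: Cid) -> Cid:
    level, col, row = cid
    return (level - 1, col // 2, row // 2)

def cell_area(cid: Cid) -> float:
    return 1.0 / (4 ** cid[0])          # a level-h cell covers 1/4**h of the space

class Pyramid:
    """Anonymizer state: it holds exact cells, so it is the trusted third party."""
    def __init__(self) -> None:
        self.counts: Dict[Cid, int] = {}                    # (cid, N) on every level
        self.users: Dict[str, Tuple[Profile, Cid]] = {}     # uid -> (profile, cid)

    def _adjust(self, cid: Cid, delta: int) -> None:
        while True:                     # update the cell and every ancestor up to the root
            self.counts[cid] = self.counts.get(cid, 0) + delta
            if cid[0] == 0:
                return
            cid = parent(cid)

    def update(self, uid: str, x: float, y: float, profile: Profile) -> None:
        """Register or move a user; N stays current on all levels."""
        if uid in self.users:
            self._adjust(self.users[uid][1], -1)
        cid = lowest_cell(x, y)
        self.users[uid] = (profile, cid)
        self._adjust(cid, +1)

    def cloak(self, uid: str) -> Cid:
        """Bottom-up walk: climb until both k and the minimum area hold (or the root)."""
        (k, a_min), cid = self.users[uid]
        while cid[0] > 0 and (self.counts[cid] < k or cell_area(cid) < a_min):
            cid = parent(cid)
        return cid

def demo() -> Dict[str, Cid]:
    """Constructed scenario: three users with different (k, A) profiles."""
    p = Pyramid()
    p.update("u1", 0.10, 0.10, (2, 0.0))     # k=2, no area requirement
    p.update("u2", 0.20, 0.15, (2, 0.25))    # k=2 and at least a quarter of the space
    p.update("u3", 0.90, 0.90, (2, 0.0))     # k=2 but alone in its quadrant
    return {u: p.cloak(u) for u in p.users}
```

Note that u3's walk ends at the root without meeting k = 2: the entry does not say what Casper does then, so the block simply returns the whole space.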
In the cell splitting operation, a cell cid at level i needs to be split into four cells at level i+1 if there is at least one user u in cid with a privacy profile that can be satisfied by some cell at level i+1. To maintain this criterion, Casper keeps track of the most relaxed user u_r for each cell. If a newly arriving object u_new in the cell cid has a more relaxed privacy requirement than u_r, the algorithm checks whether splitting cell cid into four cells at level i+1 would result in a new cell that satisfies the privacy requirements of u_new. If this is the case, the algorithm splits cell cid and distributes all its contents to the four new cells. Otherwise, the algorithm just updates the information of u_r. In case one of the users leaves cell cid, the algorithm just updates u_r if necessary.

In the cell merging operation, four cells at level i are merged into one cell at the higher level i-1 only if all the users in the level-i cells have strict privacy requirements that cannot be satisfied within level i. To maintain this criterion, the algorithm keeps track of the most relaxed user u'_r for the four cells of level i together. If such a user leaves these cells, the algorithm has to check all existing users and make sure that they still need cells at level i. If this is the case, the algorithm just updates the new information of u'_r. However, if there is no need for any cell at level i, the algorithm merges the four cells together into their parent cell. In the case of a new user entering cells at level i, the algorithm just updates the information of u'_r if necessary.

Peer-to-peer spatial cloaking. This algorithm also supports both the k-anonymity and minimum spatial area requirements [2]. The main idea is that before requesting any location-based service, the mobile user forms a group from her peers via single-hop and/or multi-hop communication. Then, the spatial cloaked area is computed as the region that covers the entire group of peers. Figure 4 gives an illustrative example of peer-to-peer spatial cloaking. The mobile user A wants to find her nearest gas station while being five-anonymous, i.e., the user is indistinguishable among five users. Thus, the mobile user A has to look around and find four other peers to collaborate as a group. In this example, the four peers are B, C, D, and E. Then, the mobile user A cloaks her exact location into a spatial region that covers the entire group of mobile users A, B, C, D, and E. The mobile user A randomly selects one of the mobile users within the group as an agent. In the example given in Figure 4, the mobile user D is selected as the agent. Then, the mobile user A sends her query (i.e., what is the nearest gas station) along with her cloaked spatial region to the agent. The agent forwards the query to the location-based database server through a base station. Since the location-based database server processes the query based on the cloaked spatial region, it can only give a list of candidate answers that includes the actual answers and some false positives. After the agent receives the candidate answers, it forwards them to the mobile user A. Finally, the mobile user A gets the actual answer by filtering out all the false positives.

Figure 4: An example of peer-to-peer spatial cloaking

KEY APPLICATIONS
Spatial cloaking techniques are mainly used to preserve location privacy, but they can be used in a variety of applications.

Location-based services. Spatial cloaking techniques have been widely adopted to blur user location information before it is submitted to the location-based database server, in order to preserve user location privacy in LBS.

Spatial database. Spatial cloaking techniques can be used to deal with some specific spatial queries. For example, given an object location, find the minimum area which covers the object and k-1 other objects.

Data mining. To perform data mining on spatial data, spatial cloaking techniques can be used to perturb individual location information into a lower resolution to preserve privacy.

Sensor-based monitoring system. Wireless sensor networks (WSNs) promise to have a vast and significant academic and commercial impact by providing real-time and automatic data collection, monitoring applications and object positioning. Although sensor-based monitoring or positioning systems clearly offer convenience, the majority of people are not convinced to use such systems because of privacy issues. To overcome this problem, an in-network spatial cloaking algorithm can be used to blur user locations into spatial regions which satisfy user-specified privacy requirements before location information is sent to a sink or base station.

FUTURE DIRECTIONS
Existing spatial cloaking algorithms have limited applicability as they are:
(a) applicable only for snapshot locations and queries. As location-based environments are characterized by the continuous movements of mobile users, spatial cloaking techniques should allow continuous privacy preservation for both user locations and queries. Currently, existing spatial cloaking algorithms only support snapshot locations and queries.
(b) not distinguishing between location and query privacy. In many applications, mobile users do not mind that their exact location information is revealed; however, they would like to hide the fact that they issue some location-based queries, as these queries may reveal their personal interests. So far, none of the existing
spatial cloaking algorithms support such a relaxed privacy notion; it is always assumed that users have to hide both their locations and the queries they issue. Examples of applications that call for such a new relaxed notion of privacy include: (1) Business operation. A courier business company has to know the location of its employees to decide which employee is the nearest one to collect a certain package. However, the company is not allowed to keep track of the employees' behavior in terms of their location-based queries. Thus, company employees reveal their location information, but not their query information. (2) Monitoring system. Monitoring systems (e.g., transportation monitoring) rely on the accuracy of user locations to provide their valuable services. In order to convince users to participate in these systems, certain privacy guarantees should be imposed on their behavior by guaranteeing the privacy of their location-based queries although their locations will be revealed.

CROSS REFERENCES
1. Privacy Issues in Location-based Services
2. Privacy and Security Challenges in Geospatial Information Systems
3. Privacy Preserving of GPS Traces
4. Location Based Services: Practices and Products

RECOMMENDED READING
[1] R. Cheng, Y. Zhang, E. Bertino, and S. Prabhakar (2006) Preserving User Location Privacy in Mobile Data Management Infrastructures. In Proceedings of the Privacy Enhancing Technology Workshop.
[2] C.-Y. Chow, M. F. Mokbel, and X. Liu (2006) A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services. In Proceedings of the ACM Symposium on Advances in Geographic Information Systems, ACM GIS.
[3] B. Gedik and L. Liu (2005) A Customizable k-Anonymity Model for Protecting Location Privacy. In Proceedings of the International Conference on Distributed Computing Systems, ICDCS.
[4] M. Gruteser and D. Grunwald (2003) Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking. In Proceedings of the International Conference on Mobile Systems, Applications, and Services, MobiSys.
[5] M. Gruteser and X. Liu (2004) Protecting Privacy in Continuous Location-Tracking Applications. IEEE Security and Privacy, 2(2):28-34.
[6] R. J. B. Jr. and R. Agrawal (2005) Data Privacy through Optimal k-Anonymization. In Proceedings of the International Conference on Data Engineering, ICDE.
[7] P. Kalnis, G. Ghinita, K. Mouratidis, and D. Papadias (2006) Preserving Anonymity in Location Based Services. Technical Report TRB6/06, Department of Computer Science, National University of Singapore.
[8] K. LeFevre, D. DeWitt, and R. Ramakrishnan (2006) Mondrian Multidimensional k-Anonymity. In Proceedings of the International Conference on Data Engineering, ICDE.
[9] K. LeFevre, D. J. DeWitt, and R. Ramakrishnan (2005) Incognito: Efficient Full-Domain k-Anonymity. In Proceedings of the ACM International Conference on Management of Data, SIGMOD.
[10] A. Meyerson and R. Williams (2004) On the Complexity of Optimal K-Anonymity. In Proceedings of the ACM Symposium on Principles of Database Systems, PODS.
[11] M. F. Mokbel, C.-Y. Chow, and W. G. Aref (2006) The New Casper: Query Processing for Location Services without Compromising Privacy. In Proceedings of the International Conference on Very Large Data Bases, VLDB.
[12] L. Sweeney (2002) Achieving k-anonymity Privacy Protection using Generalization and Suppression. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10(5):571-588.
[13] L. Sweeney (2002) k-anonymity: A Model for Protecting Privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10(5):557-570.
Spatial Cloaking Algorithms for Location Privacy
Chi-Yin Chow
Department of Computer Science and Engineering, University of Minnesota, Minneapolis, MN 55414

MAIN TEXT
This article surveys existing spatial cloaking techniques for preserving users' location privacy in location-based services (LBS), where users have to continuously report their locations to the database server in order to obtain the service. For example, a user asking about the nearest gas station has to report her exact location. With untrustworthy servers, reporting the location information may lead to several privacy threats. For example, an adversary may check a user's habits and interests by knowing the places she visits and the time of each visit. The key idea of a spatial cloaking algorithm is to perturb an exact user location into a spatial region that satisfies the user's specified privacy requirement, e.g., the k-anonymity requirement guarantees that a user is indistinguishable among k users.